Diffusion FreeBSD src repository 60616b445eb5

heimdal: always confirm PA-PKINIT-KX for anon PKINIT
60616b445eb5
Actions

Description

heimdal: always confirm PA-PKINIT-KX for anon PKINIT

Import upstream 38c797e1a.

Upstream notes:

RFC8062 Section 7 requires verification of the PA-PKINIT-KX key
excahnge when anonymous PKINIT is used.  Failure to do so can
permit an active attacker to become a man-in-the-middle.

Reported by: emaste
Obtained from: upstream 38c797e1a
Security: CVE-2019-12098
MFC after: 1 week

Details

Provenance

cy	Authored on Feb 15 2024, 1:58 AM

Parents

rG9286d46a794f: heimdal: CVE-2022-41916: Check for overflow in _gsskrb5_get_mech()

Branches

Unknown

Tags

Unknown

Event Timeline

cy committed rG60616b445eb5: heimdal: always confirm PA-PKINIT-KX for anon PKINIT (authored by cy).Feb 15 2024, 9:27 PM

cy mentioned this in rGb1b256dd0f4d: heimdal: always confirm PA-PKINIT-KX for anon PKINIT.Feb 21 2024, 1:44 PM

cy mentioned this in rGa311b9d70863: heimdal: always confirm PA-PKINIT-KX for anon PKINIT.

cy mentioned this in rG9f2e70a87d6e: heimdal: always confirm PA-PKINIT-KX for anon PKINIT.Feb 21 2024, 2:02 PM

Changes (2)

Path

Size

crypto/

heimdal/

lib/

krb5/

krb5_locl.h

pkinit.c

rG60616b445eb5

View Options

crypto/heimdal/lib/krb5/krb5_locl.h